Subject: bin/491: /etc/ftpusers and /etc/ftpchroot do nothing.
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: matthew green <mrg@splode.mame.mu.OZ.AU>
List: netbsd-bugs
Date: 09/20/1994 08:05:04
>Number: 491
>Category: bin
>Synopsis: /etc/ftpusers and /etc/ftpchroot are not used by ftpd(8), security
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: gnats-admin (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 20 08:05:03 1994
>Originator: matthew green
>Organization:
bozo software foundation.
>Release:
>Environment:
System: NetBSD splode.mame.mu.OZ.AU 1.0_BETA NetBSD 1.0_BETA (_splode_) #23: Sat Sep 17 08:30:19 EST 1994 mrg@splode.mame.mu.OZ.AU:/splode/src/sys/arch/sparc/compile/_splode_ sparc
>Description:
any users listed in /etc/ftpusers and /etc/ftpchroot can continue
to ftp in without being rejected, or chrooted to their $HOME. this
evades the security that /etc/ftpusers and /etc/ftpchroot are
supposed to provide. ouch.
>How-To-Repeat:
add root to /etc/ftpusers, and ftp in as root. ftpd will let
you in.
add any user to /etc/ftpchroot, and ftp in as that user. ftpd will
not do a chroot() to that user's $HOME.
>Fix:
>Audit-Trail:
>Unformatted: